NIST Releases ICS Cybersecurity Guidance for Manufacturers
NIST guide provides examples of commercial products that manufacturers can use to address specific security risks
The National Institute of Standards and Technology (NIST) on Wednesday announced the final version of a special publication focusing on helping manufacturers improve the cybersecurity of their industrial control system (ICS) environments.
The new cybersecurity practice guide is titled “NIST SP 1800-10, Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector.” It is the result of collaboration between NIST’s National Cybersecurity Center of Excellence (NCCoE), MITRE, and several private sector companies, including Microsoft, Dispel, Forescout, Dragos, OSIsoft, TDi Technologies, GreenTec, Tenable and VMware.
The authors of the guidance point out that while connecting operational technology (OT) and information technology (IT) systems can be beneficial for a manufacturer’s productivity and efficiency, this also makes them more vulnerable to cyber threats.
The new publication, which is available to organizations free of charge, aims to address some of the associated challenges, including mitigating ICS integrity risks, strengthening OT systems, and protecting the data they process.
The 369-page document describes common attack scenarios and provides examples of practical solutions that manufacturers can implement to protect ICS from destructive malware, insider threats, unauthorized software, unauthorized remote access, anomalous network traffic, loss of historical data, and unauthorized system modifications.
The examples described in the guide focus on application allowlisting, behavior anomaly detection, file integrity checks, remote access, user authentication and authorization, and detection of modifications to hardware, software or firmware.
Learn more about protecting industrial systems at SecurityWeek’s ICS Cyber Security Conference
One of the attack scenarios described in the document involves protecting a workstation in the manufacturing environment from malware infections delivered via USB flash drives. These types of infections can be prevented using application allowlist capabilities in Carbon Black (VMware) and Windows Software Restriction Policies (SRP).
If the attack vector is the corporate network instead of a USB drive, the guide recommends allowlist capabilities provided by Carbon Black and Windows SRP, as well as solutions from Dragos, Tenable, Forescout and Microsoft for behavior anomaly detection.
Other theoretical attack scenarios covered by the guide include protecting hosts from malware delivered through remote access connections, protecting hosts from unauthorized application installations, preventing unauthorized devices from being added to the network, detecting unauthorized communications between devices, detecting unauthorized modifications to PLC logic, preventing historian data modifications, detecting sensor data manipulation, and detecting unauthorized firmware changes.
Manufacturers are provided step-by-step instructions on how each vendor’s products can be installed and configured to address the described attack scenarios.
There is also a chapter for program managers and middle management decision-makers to help them decide what technologies they want to use to address OT security issues in their facilities.
“Organizations that don’t have the time or wherewithal to verify and validate industrial cybersecurity technology categories for their use cases will find the output paramount,” Dragos explained in a blog post describing the guide. “At the same time, the fact that a government agency led the effort impartially means that the documents will not have any extreme vendor slant. The goal was not to pick product winners and losers but instead to help organizations simply understand the types of technology available and how to deploy/integrate them for an improved return on investment.”
NIST is currently also working on another cybersecurity guide for manufacturers, one focusing on responding to and recovering from a cyberattack. That publication is currently a draft in the public comment period.